Hello Jorge,

you have to enable the radius-acct service. It's radius-acct that is able to proxy the request to another server, not pfacct (btw you can keep it enabled).

Regards
Fabrice

On Wed, Feb 9, 2022 at 19:21, Jorge Nolla <jno...@gmail.com> wrote:

>
> Another configuration file with references to the billing server Splynx:
>
> [root@wifi raddb]# cat mods-config/perl/multi_domain_constants.pm
> package multi_domain_constants;
>
> our $VAR1 = {
>   '1' => {
>     'ConfigRealm' => {
>       'local' => {
>         'radius_strip_username' => 'disabled',
>         'eap' => 'default',
>         'admin_strip_username' => 'disabled',
>         'portal_strip_username' => 'disabled'
>       },
>       'default' => {
>         'radius_acct_proxy_type' => 'load-balance',
>         'radius_auth_compute_in_pf' => 'disabled',
>         'eduroam_radius_auth_proxy_type' => 'keyed-balance',
>         'radius_auth_proxy_type' => 'keyed-balance',
>         'portal_strip_username' => 'disabled',
>         'admin_strip_username' => 'disabled',
>         'radius_auth' => '',
>         'radius_strip_username' => 'disabled',
>         'eap' => 'default',
>         'eduroam_radius_acct' => '',
>         'eduroam_radius_acct_proxy_type' => 'load-balance',
>         'permit_custom_attributes' => 'disabled',
>         'eduroam_radius_auth_compute_in_pf' => 'enabled',
>         'eduroam_radius_auth' => '',
>         'radius_acct' => ''
>       },
>       'null' => {
>         'eap' => 'default',
>         'radius_strip_username' => 'disabled',
>         'admin_strip_username' => 'disabled',
>         'portal_strip_username' => 'disabled'
>       },
>       'fispy.mx' => {
>         'eduroam_radius_acct' => '',
>         'eap' => 'default',
>         'radius_strip_username' => 'enabled',
>         'admin_strip_username' => 'enabled',
>         'radius_auth' => 'Splynx',
>         'portal_strip_username' => 'enabled',
>         'eduroam_radius_auth_proxy_type' => 'keyed-balance',
>         'radius_auth_proxy_type' => 'keyed-balance',
>         'radius_acct_proxy_type' => 'load-balance',
>         'radius_auth_compute_in_pf' => 'enabled',
>         'eduroam_radius_auth' => '',
>         'radius_acct' => 'Splynx',
>         'eduroam_radius_auth_compute_in_pf' => 'enabled',
>         'eduroam_radius_acct_proxy_type' => 'load-balance',
>         'permit_custom_attributes' => 'disabled'
>       }
>     },
>     'ConfigDomain' => {},
>     'ConfigOrderedRealm' => [
>       'default',
>       'local',
>       'null',
>       'fispy.mx'
>     ]
>   },
>   '0' => {
>     'ConfigDomain' => {},
>     'ConfigRealm' => {},
>     'ConfigOrderedRealm' => []
>   }
> };
> our $DATA = $VAR1;
> 1;
> [root@wifi raddb]#
>
> On Feb 9, 2022, at 5:19 PM, Jorge Nolla <jno...@gmail.com> wrote:
>
> Hi Team,
>
> Still can’t get accounting to proxy to the billing server. I don’t see the configuration on the proxy.conf so I imagine it is pulling from this file.
>
> [root@wifi raddb]# cat proxy.conf.inc
> # This file is generated from a template at /usr/local/pf/conf/radiusd/proxy.conf.inc
> # Any changes made to this file will be lost on restart
>
> # Eduroam integration is not configured
>
> realm default {
>
> }
> realm local {
>
> }
> realm null {
>
> }
> realm fispy.mx {
>
>     auth_pool = auth_pool_fispy.mx
>     acct_pool = acct_pool_fispy.mx
> }
> home_server_pool auth_pool_fispy.mx {
>     type = keyed-balance
>     home_server = Splynx
> }
>
> home_server_pool acct_pool_fispy.mx {
>     type = load-balance
>     home_server = Splynx
> }
>
>
> realm eduroam.default {
>
> }
>
> realm eduroam.local {
>
> }
>
> realm eduroam.null {
>
> }
>
> realm eduroam.fispy.mx {
>
> }
>
>
> home_server Splynx {
>     ipaddr = 10.0.254.100
>     port = 1812
>     secret = @Put@Madr3
>     type = auth+acct
>     status_check = status-server
> }
>
>
> # pfacct configuration
>
> realm pfacct {
>     acct_pool = pfacct_pool
>     nostrip
> }
>
> home_server_pool pfacct_pool {
>     home_server = pfacct_local
> }
>
> home_server pfacct_local {
>     type = acct
>     ipaddr = 127.0.0.1
>     port = 1813
>     secret = 'ZDQ3YzUzMjkxM2M1NjBhM2IyMTJjNWE0'
>     src_ipaddr = 10.0.255.99
> }
>
> On Feb 8, 2022, at 11:51 AM, Jorge Nolla <jno...@gmail.com> wrote:
>
> Fabrice,
>
> For some reason I cannot get accounting forwarding to the Billing/Radius Server. This server has the plans for the customers.
>
> <Screen Shot 2022-02-08 at 11.48.23 AM.png>
>
> <Screen Shot 2022-02-08 at 11.50.20 AM.png>
>
> <Screen Shot 2022-02-08 at 11.48.01 AM.png>
>
> <Screen Shot 2022-02-08 at 11.51.33 AM.png>
>
> On Feb 8, 2022, at 11:39 AM, Jorge Nolla <jno...@gmail.com> wrote:
>
> Hi Fabrice,
>
> It worked. I had to change to HTTPS and DNS for the cert on the server to work. We also changed the method to GET. Will try POST, not sure if this will make a difference.
>
> my $html_form = qq[
>     <form name="weblogin_form" data-autosubmit="1000" method="GET" action="https://portal.fispy.mx:8443/login">
>         <input type="hidden" name="username" value="$mac">
>         <input type="hidden" name="password" value="$mac">
>     </form>
>     <script src="/content/autosubmit.js" type="text/javascript"></script>
>
> Here is a sample of the radius info on PF. Top entry is with new configuration MAC address as username. Bottom one is the old configuration, where we were submitting the url request manually.
>
> <Screen Shot 2022-02-08 at 11.34.52 AM.png>
>
> On Feb 8, 2022, at 9:30 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>
> Yes, that's it.
>
> On Tue, Feb 8, 2022 at 11:23, Jorge Nolla <jno...@gmail.com> wrote:
>
>> Fabrice,
>>
>> The document you had provided didn’t lay out the configuration steps. I think this might be the correct document for the configuration you are referring to. If you have a chance take a look and let me know.
>>
>> https://support.huawei.com/enterprise/mx/knowledge/EKB1100055064
>>
>> On Feb 8, 2022, at 9:14 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>
>> You can try that instead:
>>
>> my $html_form = qq[
>>     <form name="weblogin_form" data-autosubmit="1000" method="POST" action="http://$controller_ip:8443/login">
>>         <input type="hidden" name="username" value="$mac">
>>         <input type="hidden" name="password" value="$mac">
>>     </form>
>>     <script src="/content/autosubmit.js" type="text/javascript"></script>
>> ];
>>
>> It will pass the mac address of the device in the radius request as username and password instead of the real username and password that has been authenticated previously on the portal.
>> Then you just need to configure the registration role in the switch configuration to be -1 (packetfence side) and if the device is unreg then the request will be rejected.
>>
>> On Tue, Feb 8, 2022 at 11:04, Jorge Nolla <jno...@gmail.com> wrote:
>>
>>> Hi Fabrice,
>>>
>>> Let me check what the difference is in configuration on the AC side, I’ll report within the hour. Any clues as to why the parameters are not being passed?
>>>
>>> On Feb 8, 2022, at 8:55 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>
>>> Hello Jorge,
>>>
>>> I really think that it's not the correct way to support the web auth in Huawei.
>>> The only thing you can do with the portal is to authenticate with a username and password, there is no way to do anything else (sms/email/sponsor/....).
>>>
>>> Also when you authenticate on the portal, the portal validates your username and password and with the workflow you have it will authenticate twice (portal and radius) and it doesn't make sense.
>>>
>>> So if you want to keep this way then you will need a simple html page with a username and password field that posts on https://portal.fispy.mx:8443/login then configure packetfence to authenticate the username and password from radius.
>>>
>>> The other way, which looks really better, is to use that: (https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_2)
>>>
>>> <download.png>
>>>
>>> As I said, it's exactly how it works with the cisco wlc and it will support all authentication mechanisms available on the portal.
>>>
>>> Regards
>>> Fabrice
>>>
>>> On Mon, Feb 7, 2022 at 20:25, Jorge Nolla <jno...@gmail.com> wrote:
>>>
>>>>
>>>> Radius request from the AC once it receives the correct values. This is sent back to Radius which in this case is PF
>>>>
>>>> User-Name = "5blz" *<<< VALUE NEEDED IN URL as username*
>>>> User-Password = "******" *<<< VALUE NEEDED IN URL as password*
>>>> NAS-IP-Address = 10.7.255.2
>>>> NAS-Port = 900
>>>> Service-Type = Framed-User
>>>> Framed-Protocol = PPP
>>>> Framed-IP-Address = 10.9.91.31
>>>> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
>>>> Calling-Station-Id = "f0:2f:4b:14:67:d9"
>>>> NAS-Identifier = "AirEngine9700-M1"
>>>> NAS-Port-Type = Wireless-802.11
>>>> Acct-Session-Id = "AirEngi00000000000900d5d66c0600187"
>>>> Event-Timestamp = "Feb 7 2022 18:05:13 MST"
>>>> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
>>>> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
>>>> Huawei-User-Mac = "\000\000\000\003"
>>>> Stripped-User-Name = "5blz"
>>>> Realm = "null"
>>>> FreeRADIUS-Client-IP-Address = 10.7.255.2
>>>> Called-Station-SSID = "FISPY-WiFi"
>>>> PacketFence-KeyBalanced = "aa86741e358fa86079a91aaf4dc581f9"
>>>> PacketFence-Radius-Ip = "10.0.255.99"
>>>> SQL-User-Name = "5blz"
>>>>
>>>> On Feb 7, 2022, at 3:58 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>
>>>> Hi Fabrice,
>>>>
>>>> I did hardcode as follows:
>>>>
>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET" action="https://portal.fispy.mx:8443/login?username=bob&password=bob" style="display:none">
>>>>
>>>> But the redirect which the client is getting is only this part, not sure why:
>>>>
>>>> https://portal.fispy.mx:8443/login?
>>>>
>>>> Here is the flow of the External Portal Authentication as per Huawei.
>>>> Portal Server - Notify the STA of the login URL
>>>> STA - Send the username and password in HTTP GET POST. When this is configured to use ISE as per the guide, the ISE server sends the redirect to the STA as per the format.
>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>
>>>> <PastedGraphic-1.tiff>
>>>>
>>>> On Feb 7, 2022, at 2:51 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>
>>>> Did you try to hardcode that in the code and see if it works?
>>>>
>>>> Also I don't understand the goal of passing the username and password, is there any extra check after that? What happens if the user registers by sms/email?
>>>>
>>>> And I just found that:
>>>>
>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1
>>>> Is it something that can be configured on the Huawei? If yes then it will mimic the way the Cisco WLC works.
>>>>
>>>> Regards
>>>> Fabrice
>>>>
>>>> On Mon, Feb 7, 2022 at 16:01, Jorge Nolla <jno...@gmail.com> wrote:
>>>>
>>>>> Hi Fabrice,
>>>>>
>>>>> This line needs to be HTTPS for it to work
>>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET" action="http://$controller_ip:8443/login?username=bob&password=bob" style="display:none">
>>>>>
>>>>> This needs to be the username and password which is being entered by the user in the PF portal, which is the Radius username and password
>>>>> username=bob&password=bob
>>>>>
>>>>> On Feb 7, 2022, at 12:03 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>
>>>>> I just pushed a fix.
>>>>>
>>>>> cd /usr/local/pf
>>>>> curl https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff | patch -p1
>>>>> and restart
>>>>>
>>>>> On Mon, Feb 7, 2022 at 13:46, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>
>>>>>> Here are the log outputs for /usr/local/pf/logs/packetfence.log
>>>>>>
>>>>>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371) INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal URI (pf::web::externalportal::handle)
>>>>>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371) ERROR: [mac:[undef]] Cannot load perl module for switch type 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl module have compilation errors. See the following message for details: (pf::web::externalportal::handle)
>>>>>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370) INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal URI (pf::web::externalportal::handle)
>>>>>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370) ERROR: [mac:[undef]] Cannot load perl module for switch type 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl module have compilation errors. See the following message for details: (pf::web::externalportal::handle)
>>>>>>
>>>>>> On Feb 7, 2022, at 10:50 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>
>>>>>> Here is the output for HAProxy
>>>>>>
>>>>>> Feb 7 10:48:54 wifi haproxy[2285]: 10.9.215.39:63814 [07/Feb/2022:10:48:54.074] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/13/13 501 413 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /Huawei?ac-ip=10.7.255.2&userip=10.9.215.39&ssid=FISPY-WiFi&ap-mac=f02f4b1467d9 HTTP/1.1"
>>>>>>
>>>>>> On Feb 7, 2022, at 10:06 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>
>>>>>> Hi Fabrice,
>>>>>>
>>>>>> From the PF portal after the patch is applied.
>>>>>>
>>>>>> type: 'Huawei' is not a valid value The chosen type (Huawei) is not supported.
>>>>>>
>>>>>> On Feb 6, 2022, at 6:49 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>
>>>>>> This is the only option on the config.
>>>>>>
>>>>>> <Screen Shot 2022-02-06 at 6.48.16 PM.png>
>>>>>>
>>>>>> On Feb 6, 2022, at 6:41 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>
>>>>>> Hi Fabrice,
>>>>>>
>>>>>> Getting an error page from PF
>>>>>>
>>>>>> Not Implemented
>>>>>> GET no supported for current URL.
>>>>>>
>>>>>> How is the switch supposed to be defined in PF?
>>>>>>
>>>>>> On Feb 6, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>
>>>>>> I am just not sure what to set for username and password, if you do sms auth then there is no password.
>>>>>>
>>>>>> Also in the url it looks like it misses the mac address of the device, can you try to add device-mac and see if the device mac is in the url?
>>>>>>
>>>>>> Here is the first draft:
>>>>>>
>>>>>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff
>>>>>>
>>>>>> cd /usr/local/pf/
>>>>>> curl https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff | patch -p1
>>>>>>
>>>>>> then restart packetfence.
>>>>>>
>>>>>> On the controller:
>>>>>>
>>>>>> url-template name PacketFence
>>>>>>  url https://wifi.fispy.mx/ <https://wifi.fispy.mx/captive-portal> Hawei
>>>>>>  url-parameter device-ip device-mac ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>>>>>>
>>>>>> So when the device is forwarded to the portal it should be able to recognise the mac address and the ip of the device (in the bottom).
>>>>>>
>>>>>> Register on the portal and you should be forwarded to http://$controller_ip:8443/login?username=bob&password=bob
>>>>>>
>>>>>> Let me know how it behaves.
>>>>>>
>>>>>> Regards
>>>>>> Fabrice
>>>>>>
>>>>>> On Sun, Feb 6, 2022 at 18:58, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Fabrice
>>>>>>>
>>>>>>> This is the GET the AC is expecting:
>>>>>>>
>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>
>>>>>>> If successful it will return as per image below. If it fails the AC will redirect back to the Portal
>>>>>>>
>>>>>>> <WebAuthentication.png>
>>>>>>>
>>>>>>> Here is the configuration:
>>>>>>>
>>>>>>> url-template name PacketFence
>>>>>>>  url https://wifi.fispy.mx/captive-portal
>>>>>>>  url-parameter login-url destination_url https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>
>>>>>>> HA Proxy output
>>>>>>>
>>>>>>> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266 [06/Feb/2022:16:44:26.153] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=($username)&password=($password) HTTP/1.1"
>>>>>>>
>>>>>>> Only problem is that PacketFence is not updating the dynamic values with username and password for it to work
>>>>>>>
>>>>>>> AC = Access Controller. This manages the APs as they are operating in Fit/Lightweight mode.
>>>>>>> AP = Access Points. These are the actual radios.
>>>>>>>
>>>>>>> Best Regards,
>>>>>>> Jorge
>>>>>>>
>>>>>>> On Feb 6, 2022, at 4:40 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>
>>>>>>> Hello Jorge,
>>>>>>>
>>>>>>> I have what I need at least to be able to support the web-auth.
>>>>>>> The only thing I am not sure about is what we are supposed to do at the end of the registration process.
>>>>>>>
>>>>>>> I will create a branch on github in order for you to test. (it will be an update of the Huawei switch module).
>>>>>>>
>>>>>>> For information, what is the ac-ip ac-mac versus ap-ip ap-mac?
>>>>>>>
>>>>>>> Regards
>>>>>>> Fabrice
>>>>>>>
>>>>>>> On Sun, Feb 6, 2022 at 18:30, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>
>>>>>>>> If I try to manually send the redirect in the browser here is what HA proxy records. This is a simple copy and paste in the browser and the output:
>>>>>>>>
>>>>>>>> https://wifi.fispy.mx/captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3
>>>>>>>>
>>>>>>>> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 HTTP/1.1"
>>>>>>>>
>>>>>>>> It doesn’t let it go through as it seems that it is trying to validate network connectivity
>>>>>>>>
>>>>>>>> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Seems weird how the format of the URL is recorded/sent
>>>>>>>>
>>>>>>>> Here is a normal redirect, the url is formatted correctly,
>>>>>>>>
>>>>>>>> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://www.fispy.mx/ HTTP/1.1"
>>>>>>>>
>>>>>>>> I’m not sure why the value sent by the AP has all the % and weird symbols
>>>>>>>> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>
>>>>>>>>
>>>>>>>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi Fabrice,
>>>>>>>>
>>>>>>>> Here are the options that can be added:
>>>>>>>>
>>>>>>>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
>>>>>>>>   ap-group-name   AP group name
>>>>>>>>   ap-ip           AP IP address
>>>>>>>>   ap-location     AP location
>>>>>>>>   ap-mac          AP MAC address
>>>>>>>>   ap-name         AP name
>>>>>>>>   device-ip       Device IP address
>>>>>>>>   device-mac      Device MAC address
>>>>>>>>   login-url       Device's login URL provided to the external portal server
>>>>>>>>   mac-address     Mac address
>>>>>>>>   redirect-url    The url in user original http packet
>>>>>>>>   set             Set
>>>>>>>>   ssid            SSID
>>>>>>>>   sysname         Device name
>>>>>>>>   user-ipaddress  User IP address
>>>>>>>>   user-mac        User MAC address
>>>>>>>>
>>>>>>>> url-template name PacketFence
>>>>>>>>  url https://wifi.fispy.mx/captive-portal
>>>>>>>>  url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>>>>>>>>
>>>>>>>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 HTTP/1.1"
>>>>>>>>
>>>>>>>> If we do not specify the URL on this configuration, where would PacketFence get the value for the AC Web Authentication call?
>>>>>>>>
>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>
>>>>>>>> Best Regards,
>>>>>>>> Jorge
>>>>>>>>
>>>>>>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hello Jorge,
>>>>>>>>
>>>>>>>> what we need is the user mac and the ap information.
>>>>>>>> I found that https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template
>>>>>>>>
>>>>>>>> Is it possible to add extra parameters like user-mac ssid ap-ip ap-mac?
>>>>>>>>
>>>>>>>> And if yes can you provide me the url generated by the controller when it redirects? (haproxy-portal log)
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Fabrice
>>>>>>>>
>>>>>>>> On Sat, Feb 5, 2022 at 20:42, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Team,
>>>>>>>>>
>>>>>>>>> Any input on this? We really would like to get this to work.
>>>>>>>>>
>>>>>>>>> Thank you!
>>>>>>>>> Jorge
>>>>>>>>>
>>>>>>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Fabrice,
>>>>>>>>>
>>>>>>>>> This is the sequence:
>>>>>>>>>
>>>>>>>>> Feb 2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:32.663] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>>>>> Feb 2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:37.905] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838705224 HTTP/1.1"
>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:43.927] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:44.060] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>>>>> Feb 2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:49.219] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838716546 HTTP/1.1"
>>>>>>>>> Feb 2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:55.287] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>>>>>
>>>>>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hello Jorge,
>>>>>>>>>
>>>>>>>>> I will have a closer look.
>>>>>>>>> But I have a question, when the device is forwarded to the captive portal, (just before https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>), what is the url?
>>>>>>>>> You should be able to see it in the haproxy-portal.log file.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Fabrice
>>>>>>>>>
>>>>>>>>> On Wed, Feb 2, 2022 at 10:18, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>
>>>>>>>>>> We almost have the configuration working, but are not sure how to get the redirect to the client to work correctly. Attached is the documentation for Cisco ISE which we used for PacketFence as well.
>>>>>>>>>>
>>>>>>>>>> Portal.fispy.mx <http://portal.fispy.mx/> is the Huawei AC.
>>>>>>>>>>
>>>>>>>>>> This is the format the client should get from PacketFence. This is the only piece we are missing for this to work.
>>>>>>>>>>
>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>
>>>>>>>>>> If we manually click on the link above, then the flow of traffic works correctly CLIENT > AC > RADIUS (PacketFence), and authentication works. The problem is that when the user logs in to the portal the redirect is broken. The parameter for the redirect that PacketFence is serving comes from a configuration parameter within the AC. This configuration works fine for Cisco ISE, but the URL format is not working for PacketFence.
>>>>>>>>>>
>>>>>>>>>> When we configure the redirect this is what the client is getting from PacketFence
>>>>>>>>>>
>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>
>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>  url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>>>
>>>>>>>>>> AC CONFIG
>>>>>>>>>>
>>>>>>>>>> authentication-profile name PacketFence
>>>>>>>>>>  portal-access-profile PacketFence
>>>>>>>>>>  free-rule-template default_free_rule
>>>>>>>>>>  authentication-scheme PacketFence
>>>>>>>>>>  accounting-scheme PacketFence
>>>>>>>>>>  radius-server PacketFence
>>>>>>>>>>  force-push url https://www.fispy.mx
>>>>>>>>>>
>>>>>>>>>> radius-server template PacketFence
>>>>>>>>>>  radius-server shared-key cipher %^%#*)l=:1.X-Yd$\<~orEF@ ]<}NMejv3)E^\6;7:NUY%^%#
>>>>>>>>>>  radius-server authentication 10.0.255.99 1812 source ip-address 10.7.255.2 weight 90
>>>>>>>>>>  radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2 weight 80
>>>>>>>>>>  undo radius-server user-name domain-included
>>>>>>>>>>  calling-station-id mac-format unformatted
>>>>>>>>>>  called-station-id wlan-user-format ac-mac
>>>>>>>>>>  radius-server attribute translate
>>>>>>>>>>  radius-attribute disable HW-NAS-Startup-Time-Stamp send
>>>>>>>>>>  radius-attribute disable HW-IP-Host-Address send
>>>>>>>>>>  radius-attribute disable HW-Connect-ID send
>>>>>>>>>>  radius-attribute disable HW-Version send
>>>>>>>>>>  radius-attribute disable HW-Product-ID send
>>>>>>>>>>  radius-attribute disable HW-Domain-Name send
>>>>>>>>>>  radius-attribute disable HW-User-Extend-Info send
>>>>>>>>>>
>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>  url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>>>
>>>>>>>>>> web-auth-server PacketFence
>>>>>>>>>>  server-ip 10.0.255.99
>>>>>>>>>>  port 443
>>>>>>>>>>  url-template PacketFence
>>>>>>>>>>  protocol http
>>>>>>>>>>  http get-method enable
>>>>>>>>>>
>>>>>>>>>> portal-access-profile name PacketFence
>>>>>>>>>>  web-auth-server PacketFence direct
>>>>>>>>>>
>>>>>>>>>> authentication-scheme PacketFence
>>>>>>>>>>  authentication-mode radius
>>>>>>>>>>
>>>>>>>>>> wlan
>>>>>>>>>>  security-profile name FISPY-WiFi
>>>>>>>>>>
>>>>>>>>>>  vap-profile name FISPY-WiFi
>>>>>>>>>>   service-vlan vlan-id 900
>>>>>>>>>>   permit-vlan vlan-id 900
>>>>>>>>>>   ssid-profile FISPY-WiFi
>>>>>>>>>>   security-profile FISPY-WiFi
>>>>>>>>>>   authentication-profile PacketFence
>>>>>>>>>>   sta-network-detect disable
>>>>>>>>>>   service-experience-analysis enable
>>>>>>>>>>   mdns-snooping enable
>>>>>>>>>>
>>>>>>>>>> ###CISCO ISE CONFIG TO COMPARE###
>>>>>>>>>>
>>>>>>>>>> url-template name CISCO-ISE
>>>>>>>>>>  url https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02
>>>>>>>>>>  parameter start-mark #
>>>>>>>>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>>>>>>>>
>>>>>>>>>> ####################################
>>>>>>>>>>
>>>>>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hello Jorge,
>>>>>>>>>>
>>>>>>>>>> do you have any Huawei documentation to implement that?
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Fabrice
>>>>>>>>>>
>>>>>>>>>> On Wed, Jan 26, 2022 at 15:59, Jorge Nolla via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Team,
>>>>>>>>>>>
>>>>>>>>>>> We were wondering if anyone has had any success in configuring Web Auth for the Huawei AC? It’s somewhat critical for us to get this going.
>>>>>>>>>>>
>>>>>>>>>>> Thank you!
>>>>>>>>>>> Jorge
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
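
Added example (not part of the original thread and not PacketFence code): the HAProxy lines quoted in this thread show that a login URL submitted with GET carries the username and password in the request line, which the proxy writes to its log, while a POST to the same path does not. The Python sketch below scans HAProxy-style access-log lines for such parameters, follows URLs nested in a percent-encoded `destination_url`, and skips unexpanded templates such as `($password)`. The sample log lines, host names and the list of sensitive parameter names are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as secrets (an assumption; extend for your portal).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token"}
# Request line as it appears at the end of an HAProxy HTTP log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d(?:\.\d)?"')
# Unexpanded template such as ($password): a placeholder, not a credential.
TEMPLATE_RE = re.compile(r"^\(\$\w+\)$")
MAX_DEPTH = 3  # how far to follow URLs nested inside parameter values


def sensitive_params(target, prefix="", depth=0):
    """Yield dotted parameter paths in `target` that carry a real secret.

    parse_qsl percent-decodes keys and values, so 'destination%5Furl' and
    'pass%77ord' are treated exactly like their plain-text forms.
    """
    query = urlsplit(target).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        path = prefix + key
        if key.lower() in SENSITIVE_KEYS:
            if value and not TEMPLATE_RE.match(value):
                yield path
        elif depth < MAX_DEPTH and "://" in value and "?" in value:
            # The value is itself a URL with a query string: look inside it.
            yield from sensitive_params(value, path + ".", depth + 1)


def scan_log(lines):
    """Return (line_number, method, [parameter paths]) for each leaking line.

    Only parameter names are reported, never the secret values themselves.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        paths = list(sensitive_params(match.group("target")))
        if paths:
            findings.append((lineno, match.group("method"), paths))
    return findings


# Constructed sample lines in the HAProxy HTTP log layout seen in the thread.
_PREFIX = (
    "Feb  6 16:44:26 gw haproxy[1000]: 192.0.2.10:52266 "
    "[06/Feb/2022:16:44:26.153] portal-https~ portal-backend/127.0.0.1 "
    "0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0 0/0 {portal.example.test} "
)
SAMPLE_LOG = [
    # 1: template never expanded, nothing real is exposed
    _PREFIX + '"GET /captive-portal?destination_url=https://ac.example.test:8443'
              '/login?username=($username)&password=($password) HTTP/1.1"',
    # 2: pasted by hand, the unencoded '&' makes password a top-level parameter
    _PREFIX + '"GET /captive-portal?destination_url=https://ac.example.test:8443'
              '/login?username=guest1&password=S3cr3t HTTP/1.1"',
    # 3: same URL, fully percent-encoded the way the controller sends it
    _PREFIX + '"GET /captive-portal?destination%5Furl=https%3A%2F%2Fac%2Eexample'
              '%2Etest%3A8443%2Flogin%3Fusername%3Dguest1%26password%3DS3cr3t HTTP/1.1"',
    # 4: POST keeps the credentials in the body, which is not in the request line
    _PREFIX + '"POST /login HTTP/1.1"',
    # 5: device parameters only
    _PREFIX + '"GET /Huawei?ac-ip=192.0.2.2&userip=192.0.2.10&ssid=Guest HTTP/1.1"',
]

if __name__ == "__main__":
    for lineno, method, paths in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {method} request exposes {', '.join(paths)}")
```
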